Oct 13, 2010
We are used to regularly sharing personal information in the “real world”. At a bar, for example, we might be asked to show our ID for age verification. As a result of showing our ID, we also – unnecessarily, some might point out – reveal other personal information such as our full name to the other person. While this may be a cause of alarm for some, most people are not bothered by these small invasions of privacy – the potential for harm is simply not significant enough in most situations. Online, we constantly disclose certain personal information to strangers to partake in the Internet’s offerings. For example, many people will inadvertently reveal their full name, email address, physical address and telephone number to strangers they have only just met on Craigslist.
On the other hand, the information necessary to ensure the security and legality of certain online transactions remains difficult to verify. In particular, online age verification remains a significant obstacle, as pointed out in a study directed by the Harvard Berkman Center that analyzed 40 age verification technologies and found that “almost all [of them] present privacy and security issues that should be weighed against any potential benefits”. While the focus here is directed toward a provider’s or government’s need for certainty regarding one specific piece of information, keeping information private and making sharing of personal information more secure (from the users’ perspective) are closely related. So how would the ideal online identity system look? Who would be the key players? What are some of the key issues that must be addressed?
Generalizing from the above situations, a secure system is needed that contains our private data, is certified by reliable third parties, and allows us to share, only to the extent strictly necessary, such information with third parties. The concept is not a new one and has been the center of discussion across many forums; David Siegel, author of “Pull”, refers to it as the “personal data locker”. The concept raises concerns about access to and management of private data, causing one to wonder whether the government (an obvious candidate) or a private corporation like Facebook or Google would seek to manage our “personal data lockers”, in light of the amount of data such entities have already collected about individuals. I believe that the discussion has certainly become more mainstream in the past few months, with people increasingly discussing social network privacy terms, the pros and cons of targeted advertising and other important concepts related to online identity.
I recently attended the Online Trust and Cybersecurity Forum in Washington D.C., a conference in itsfifth year, organized by the Online Trust Alliance (OTA), which brings together thought-leaders from industry, academia and government. Most discussions centered around privacy and online user control, in particular with respect to collected data about user behaviors and preferences as well as personal information.
Ari Schwartz, Sr. Advisor for Internet Policy at the National Institute of Standards and Technology, led the “National Strategy for Trusted Identities in Cyberspace (NSTIC)” panel with participants from PayPal, Cyber Intelligence at the U.S. Postal Inspection Service, National Security Staff at the White House, and the Federal Trade Commission (FTC). NSTIC, led by Howard E. Schmidt, White House Cybersecurity Coordinator at the Office of the President, is part of the near-term action plan of President Obama’s Cyberspace Policy Review. Over the summer, NSTIC released a strategy draft document and received over 500 comments in an idea bank open to the public.
As was pointed out, this would not be a “government ID program” but rather a multi-disciplinary attempt to create an identity ecosystem for “secure, efficient, easy-to-use identity solutions”. In discussions during the breaks at the conference, there appeared to be a consensus that no single solution will be able to meet all required objectives, and a set of varied tools and solutions will instead be necessary.
The system will have “three important characteristics: to be privacy-enhancing, be user-centric, [and] be voluntary”, explains Naomi Lefkovitz, Senior Attorney at the Federal Trade Commission. The system would be designed to reveal certain attributes required in a particular context rather than a full identity. Going back to the earlier example of age verification, one could image the following scenario: A minor wants to enter an online chat room designed for kids; in order to enter, he has to provide a sort of certificate that could, for example, be issued by the minor’s school and serve as proof of his age. The school would only provide the certificate and would not be able to control or access information regarding its use, says Naomi Lefkovitz. The result would be a clear improvement over the existing situation.
At this point, people familiar with the online identity space will likely say that this is just another initiative that will end up achieving little. Yet there is hope: Not only has the importance of the topic increased dramatically with the rise of online activity, but the initiative seems to have broad support from the White House to industry leaders. When one of the audience members at the OTA conference lamented that the panel reminded him of the movie “Groundhog Day”, Ari Schwartz promised to “sing ‘I got you babe’ [the song to which Bill Murray’s character wakes each morning] if things haven’t moved forward in 4 years”. And, as they say, it ain’t over ‘til the federal bureaucrat sings.
For further information on online identity initiatives and projects I recommend taking a look at the NSTIC strategy draft, an online group called Identity Commons, OpenID technology and foundation, Information Cards, the Data Portability Project, as well as my personal blog rsquaredblog.com.